"No key available with this passphrase." - Jetson Xavier Boot Log with ROOTFS_ENC=1

Hello,

I am attempting to understand some messages in my Jetson Xavier’s boot log after flashing with root encryption (ROOTFS_ENC=1). My goal is to use a UNIQUE passphrase instead of a generic one.

Here’s the command I used for flashing:

python3 gen_ekb.py -chip t194 -kek2_key kek2.key -fv fv.txt \
          -in_sym_key2 sym2_t194.key -out eks_t194.img
cp eks_t194.img bootloader/

ROOTFS_ENC=1 ./flash.sh --generic-passphrase --no-flash \
     -i sym2_t194.key -u rsa_priv.pem -v sbk.key \
     jetson-xavier mmcblk0p1

cd bootloader
sudo bash ./flashcmd.txt

Scenario 1: Using --generic-passphrase (Generic Key)

When I use the --generic-passphrase option, the boot log shows “Add unique key” and “Remove generic key.” messages.

[8.882328] Root device found: UUID=a5a9 
depmod: WARNING: could not open modules.order at /lib/modules/5.10.216-tegra: No such file or directory
depmod: WARNING: could not open modules.builtin at /lib/modules/5.10.216-tegra: No such file or directory
[8.945029] Cryptsetup version: 2.2.2
[9.952622] tegra_cec 3960000.tegra_cec: timeout in tegra_cec_native_write_1:193.
[9.955605] tegra_cec 3960000.tegra_cec: Sent <Text View On> res: -62.
[9.958172] tegra_cec 3960000.tegra_cec: tegra_cec_init Done.
[10.836944] Add unique key
[23.723122] Remove generic key...
[27.469532] EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null)
[29.333007] Add unique key
[39.391497] Remove generic key...

Scenario 2: Removing --generic-passphrase (Attempting Unique Key Only)

My intention is to use only a UNIQUE key. When I remove the --generic-passphrase option from the flash.sh command (effectively making the system rely solely on the unique key generated or provided), the boot log shows multiple “No key available with this passphrase.” messages.

[9.952000] tegra_cec 3960000.tegra_cec: timeout in tegra_cec_native_write_
[9.956200] tegra_cec 3960000.tegra_cec: Sent <Text View On> res: -62.
[9.958807] tegra_cec 3960000.tegra_cec: tegra_cec_init Done.
No key available with this passphrase.
[12.318237] EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null)
No key available with this passphrase.
[15.625887] EXT4-fs (dm-1): mounted filesystem with ordered data mode. Opts: (null)
[15.649353] Rootfs mounted over UUID=612f19b6-e556-4852-9ade-774cb9483751
[15.694106] Switching from initrd to actual rootfs
SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.33: No
[15.890457] systemd[1]: System time before build time, advancing clock.
[15.971830] systemd[1]: systemd 245.4-4ubuntu3.24 running in system mode. (+PAM
[15.976568] systemd[1]: Detected architecture

Despite these “No key available with this passphrase.” messages, the Jetson Xavier still boots normally and I can access the root filesystem.

My Questions:

  1. Significance of “No key available with this passphrase.”: Is this message indicative of a significant error or misconfiguration regarding the unique encryption key? Or can I safely ignore it since the device ultimately boots successfully?
  2. Expected Behavior for Unique Key Only: When using ROOTFS_ENC=1 without --generic-passphrase, what is the expected boot log behavior regarding key management? Should I not see “No key available…” messages?
  3. Troubleshooting for Unique Key: If these messages are indeed an issue, what steps should I take to ensure the unique key is correctly recognized and used during boot, eliminating these messages?

Any insights or guidance would be greatly appreciated!

Thank you

hello kyoungh,

>> Q1.

it should not boot into linux, it’s eks partition for eks_t194.img, please double check you’ve erased/re-flashed the target correctly.

>> Q2.
please refer to Topic 291335 to create encrypted images with a generic key. it checks generic passphrase instead of unique ECID.

>> Q3
may I know the platform.. are you working with AGX Xavier DevKit?
please also check the Jetpack release version you’re using.

Hello @JerryChang,
I flashed my Xavier with a custom carrier board using JetPack 5.1.5. I typically flash via the SDK Manager Docker. After clearing the Docker environment and re-flashing, the boot log remained the same as the logs mentioned above.

Does the message ‘No key available with this passphrase.’ indicate that secure boot or disk encryption is not functioning, thus leaving my Xavier unsecured?

hello kyoungh,

according to the above, it’s the board configuration file for Xavier Devkit.
I doubt it flashed the board correctly since you’re using a custom carrier board.

Hello @JerryChang ,

I’ve confirmed the issue isn’t board-specific, as it happens on both my custom carrier board and the Xavier Dev Kit with the “jetson-xavier” configuration.

My main observation is this: when I flash with --generic-passphrase, the Xavier shows “Add unique key” and “Remove generic key” messages during the very first boot. After that, on every subsequent boot, I receive the message: “No key available with this passphrase.”

It seems the generic key is indeed replaced by a unique key on that first boot. Is it safe to ignore this message?

Thanks again,

hello kyoungh,

did you mean it’s possible to reproduce with Jetson AGX Xavier DevKit?
may I know your steps in detail.

Hello @JerryChang ,

I noticed that right after flashing the Xavier with the --generic-passphrase option, the generic key is automatically replaced with a unique per-device key upon the first reboot. At that time, I see the messages: “Add unique key” and “Remove generic key.”

Since then, on every subsequent reboot, I see the message: “No key available with this passphrase,” which is due to the device now having the unique key instead of the generic one.

This behavior aligns with the explanation provided in the NVIDIA documentation:

So I think I can ignore this message “No key available…”
Thanks.

anyway, here are my steps

python3 gen_ekb.py -chip t194 -kek2_key kek2.key -fv fv.txt \
          -in_sym_key2 sym2_t194.key -out eks_t194.img
cp eks_t194.img bootloader/

ROOTFS_ENC=1 ./flash.sh --generic-passphrase --no-flash \
     -i sym2_t194.key -u rsa_priv.pem -v sbk.key \
     jetson-xavier mmcblk0p1

cd bootloader
sudo bash ./flashcmd.txt

Thank you.
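
Added example, not part of the thread and not NVIDIA tooling: a Python check over a captured boot log that separates the situations discussed above (first-boot key rotation, a rejected passphrase attempt followed by a dm-N mount, and a rejection with no mount after it). The sample logs are constructed from the excerpts quoted in this thread, the state names are made up for the example, and reading the rejected attempt as the removed generic passphrase is the poster's conclusion, which the script cannot confirm.

```python
import re

REJECTED = "No key available with this passphrase."
DM_MOUNT = re.compile(r"EXT4-fs \((dm-\d+)\): mounted filesystem")

# Constructed samples, modelled on the boot-log excerpts quoted in the thread.
FIRST_BOOT = """[10.836944] Add unique key
[23.723122] Remove generic key...
[27.469532] EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null)
[29.333007] Add unique key
[39.391497] Remove generic key..."""
LATER_BOOT = """No key available with this passphrase.
[12.318237] EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null)
No key available with this passphrase.
[15.625887] EXT4-fs (dm-1): mounted filesystem with ordered data mode. Opts: (null)"""

def classify_boot(log: str) -> dict:
    """Pair each rejected passphrase attempt with the dm-N mount that follows it."""
    adds = removes = pending = 0   # pending: rejections not yet followed by a mount
    mounts = []                    # (device, rejected attempts seen before its mount)
    for line in log.splitlines():
        if "Add unique key" in line:
            adds += 1
        elif "Remove generic key" in line:
            removes += 1
        elif REJECTED in line:
            pending += 1
        elif (m := DM_MOUNT.search(line)):
            mounts.append((m.group(1), pending))
            pending = 0
    if adds != removes:
        state = "rotation-incomplete"      # a generic key may still be enrolled
    elif pending:
        state = "unlock-failed"            # rejection never followed by a dm mount
    elif adds and mounts:
        state = "first-boot-rotation"
    elif any(n for _, n in mounts):
        state = "unlocked-after-rejected-attempt"
    elif mounts:
        state = "unlocked"
    else:
        state = "no-dm-mount-seen"         # nothing here shows an encrypted mount
    return {"state": state, "mounts": mounts, "unresolved_rejections": pending}

if __name__ == "__main__":
    for name, log in (("first boot", FIRST_BOOT), ("later boot", LATER_BOOT)):
        print(name, classify_boot(log))
```

The log only shows that a mapped device was mounted after the rejected attempt, not which keyslot unlocked it; `cryptsetup luksDump` on the encrypted partition lists the keyslots that are actually occupied.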
